Handling JSF session timeouts

I'm having a problem when my session in jsf times out. I have a logoutBean that handles the logout functionality for my app. The problem comes in when the session expires after period of time with no activity on the app. If i try then call the logout() method in my logoutBean i get the following error in Tomcat5.5 listed below (this is only a short extract, the exception thrown is a lot longer) Any idea on how to check if the session has expired before you submit a request??
SEVERE: Managedbean TopBean could not be created Can't instantiate class: 'za.co
.vodacom.rms.frontend.bean.TopBean'.. class za.co.vodacom.rms.frontend.bean.TopB
ean : java.lang.NullPointerException
javax.faces.FacesException: Can't instantiate class: 'za.co.vodacom.rms.frontend
.bean.TopBean'.. class za.co.vodacom.rms.frontend.bean.TopBean : java.lang.NullP
ointerException
at com.sun.faces.config.ManagedBeanFactory.newInstance(ManagedBeanFactor
y.java:229)
at com.sun.faces.application.ApplicationAssociate.createAndMaybeStoreMan
agedBeans(ApplicationAssociate.java:306)
at com.sun.faces.el.VariableResolverImpl.resolveVariable(VariableResolve
rImpl.java:97)
at com.sun.faces.el.impl.NamedValue.evaluate(NamedValue.java:145)
at com.sun.faces.el.impl.ComplexValue.evaluate(ComplexValue.java:166)
at com.sun.faces.el.impl.ExpressionEvaluatorImpl.evaluate(ExpressionEval
uatorImpl.java:263)

Here's a listing of my bean :
public class TopBean {
     private UserBean userBean = null;
//some code other code
public void logoff() {
          HttpSession session = (HttpSession)FacesContext.getCurrentInstance().getExternalContext().getSession(false);
          if (session==null) {
               System.out.println("Session is null");
          } else {
               UserController userCon = new UserController();
               if (userCon.logoffUser(userBean)) {
                    System.out.println("successful logout");
               } else {
                    System.out.println("Unsuccessful logout");
I have a logoff button on a jsp page:
<h:commandButton image="images/logoff.gif" alt="Logoff" action="#{TopBean.logoff}" styleClass="linkButton" onclick="javascript:logoffConfirm()"/></td>
The session timeout is 30minutes
<session-config>
     <session-timeout>30</session-timeout>
</session-config>
If after the session times out, i decide to click on logoff so that my logged_on status in my database is updated it throws an exception that it cannot instantiate the class TopBean (i have a bit field in my user table logged_on that needs to get updated otherwise on next logged my app throws error with "user is already logged on"). My bean TopBean gets initialised directly after I log in to my app. As you can see i'm already trying to validate if the session is null, however before i can even call the method it throws "cannot instantiate class TopBean" exception. This indicates to me that once the session has expired, i clears what ever objects that were being held in that session

Similar Messages

JSF 1.2 Session Timeout Issue

I am using using:
JSF- Sun RI (1.2)
Websphere (6.1)
Facelets (1.?)
RichFaces (3.3.2)
I am having an issue with session timeouts that shows up in two different ways:
Scenario 1) the client makes an ajax call after the session has timed out
Scenario 2) the client makes a standard request after the session has timed out - navigating to a new page
I seem to be able to address one or the other, but I can't seem to find a solution that fixes both scenarios.
For Scenario 1, I have the client-side A4J.AJAX.onExpired function defined and that is currently working for session timeouts that are discovered via an ajax request.
However, if I start making changes to try and address the other scenario, it seems to break the A4J javascript function.
For Scenario 2, I have tried a number of suggestions that I've found online:
1) I've tried to configure the error page in web.xml:
<error-page>
     <exception-type>javax.faces.application.ViewExpiredException</exception-type>
     <location>/timeout.jsf</location>
</error-page>
However, anything I seem to try around this solution still winds up with a ViewExpiredException. I've tried to have timeout.jsf redirect to the login page and I get a ViewExpiredException on the login page when the redirect happens. I've tried to just render a timeout page with a link the user can click on to go to the login page and that fails as well.
2) I've tried the phase listener and had little success too.
3) I tried a NavigationHandler
One thing I did have working, I believe, was with the phase listener approach, but I had a difficult time displaying a session timed out message upon redirect, but not the first time the user visited the page.
I'm relatively new to JSF and probably don't understand the app life cycle well enough, I guess, but is there a solution that addresses all of these issues:
1) works for AJAX calls
2) works for actual navigation
3) sends the user back to the login page with some indication as to "why", but gracefully handles the first visit to the login page (or a logout)
Thanks for any suggestions you can offer.

Sorry, but I have to disagree. Loading JavaScript at the beginning of your page would only make the page load slower (and "ruin" the user's experience when they see the page being loaded steadily) and also cause unforeseen issues than to leave it at the bottom of your page.
Big companies like Google (1999), Yahoo (2000), Oracle (2001) and many others are doing the opposite to what you have said. Look at the way they load their JavaScripts and you'll see.
It's also good practice to zip your content from the server before sending it to the client's web browser to increase performance. Of course, this will depend on whether your web browser supports methods such as gzip, deflate, etc... and whether you use HTTP or HTTPS.
Lastly, another bad practice I often see Java programmers do is write the following all over the places:
setString, setInt, setDouble, etcInstead of using an existing feature of Java to do the same in one procedure, as in:
public static void setParameters(PreparedStatement preparedStatement, Object... values)
   throws SQLException
   for (int i = 0; i < values.length; i++) {
      preparedStatement.setObject(i + 1, values);
Then just call *setParameters* whenever you need it instead of writing multiple setString, setInt, etc statements everywhere...

Re: [iPlanet-JATO] Re: session timeout when not submitting to a handler

Mark--
I know what's happening here, but am curious about your approach. You said
in an earlier email that you were generating links directly to JSPs, but
from what you are describing, you are generating JATO-style links to access
JATO pages. Nothing wrong with that, but there is a signficant difference.
Actually, it just occurred to me, I'm wondering what your URLs look like.
The way the request dispatching works in JATO is it ignores anything after
an initial "." in the final part of the URL path. For example, a request
for "/myapp/module1/MyPage.jsp" doesn't actually try to hit the JSP, instead
it tries to hit the JATO page "/myapp/module1/MyPage".
The end result is that you may think you are accessing a JSP directly, but
are instead accessing a JATO page. The reason the request dispatching works
this way is because it is illegal to access JATO JSPs directly, and there is
actually a (disabled) JATO feature that piggybacks on the use of the
dot-delimited URL.
So, now I need to understand your intent. I wasn't really sure why you were
generating direct JSP/page links to begin with. This works against the Type
II architecture JATO uses, in which all JATO requests go back to the
controller servlet.
If you are trying to design something like a menu page, you may have thought
that it was burdensome to create a number of HREF children, plus implement
event handlers for each of them. This definitely would be burdensome beyond
just a handful of links, but this is why JATO provides other mechanisms for
doing what I'll call here "polymorphic HREFs".
Assuming this menu page scenario, the easiest thing to do is to simply use
one HREF child on the page, and add a value to it each time it is rendered
that distinguishes it from the other instances on the page. In your event
handler for the HREF, you simply check this value and use it to decide which
page to forward to. You can add a value to an HREF or Button by using the
"addExtraValue()" method. Or, if you are using JATO 1.2, you can add extra
query string NVPs right in the JSP document using the "queryParams"
attribute of the <jato:href> tag. Thus, your one HREFchild and event
handler become "polymorphic" because what they do depends on the context in
which they are invoked.
Now, I still don't have confirmation that this is what you were trying to
do, so until I do, let me explain the exception you're seeing. JATO assumes
that when a request comes in for a page that includes the pageAttributes
NVP, it is a request coming from a previously generated JATO page. Because
of the way JATO works, this means that the request dispatching code should
send the request back to the originally rendered page. For example, if Page
A renders an HREF, which the user then activates, JATO sends the request
back to Page A for handling. All of the HREFs and forms generated during
rendering of Page A actually refer back to Page A, regardless of where those
links or buttons actually pass the request in their event handlers/Command
objects.
So, what's happening when you include the pageAttributes in your HREFs is
that JATO is assuming that a request is being sent to the target page, with
the assumption that the target page has a mechanism in place to handle the
request. This assumption relies on the specification of the "originator" of
the request being specified in the request. For links/HREFs, the name and
value of the HREF is sent along with the request. For forms, the name and
value of the button that was pressed are sent in the request. JATO uses the
presence of these name/value pairs to decide which event handler, or which
Command object, to invoke to handle the request.
The exception you are receiving is saying that there was no object on the
target page that indicated it could handle the request. This is to be
expected, since you have not specified a query parameter that indicates
which CommandField child is responsible the request. However, this is where
I see the disconnect, because that is not what I believe you were trying to
do (as explained above).
So now, given all the information above, can you tell me what you're trying
to accomplish, and whether or not the info I've given you has helped you to
design a mechanism more in line with a JATO approach? If not, given that I
understand what you're trying to do, I can offer a more concrete solution.
Todd
----- Original Message -----
From: <Mark_Dubinsky@p...>
Sent: Monday, November 05, 2001 2:54 PM
Subject: [iPlanet-JATO] Re: session timeout when not submitting to a handler
This is the exception we get:
(And BTW, leaving a blank value for the pageAttributes doesn't help)
[05/Nov/2001 17:49:18:4] error: <portalServlet.processRequest>
javax.servlet.ServletException: The request was not be handled by the
specified handler
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled Code)
at
javax.servlet.ServletException.<init>(ServletException.java:107)
at
com.putnaminvestments.common.jato.ApplicationServletBase.dispatchRequ
est(Compiled Code)
at
com.putnaminvestments.common.jato.ApplicationServletBase.processReque
st(Compiled Code)
at
com.putnaminvestments.bp.portal.portalServlet.processRequest(Compiled
Code)
at
com.putnaminvestments.common.jato.ApplicationServletBase.doPost(Compi
led Code)
at
com.putnaminvestments.common.jato.ApplicationServletBase.doGet(Compil
ed Code)
at javax.servlet.http.HttpServlet.service(Compiled Code)
at com.putnaminvestments.bp.bpServletBase.service(Compiled
Code)
at javax.servlet.http.HttpServlet.service(Compiled Code)
at
com.netscape.server.servlet.servletrunner.ServletInfo.service(Compile
d Code)
at
com.netscape.server.servlet.servletrunner.ServletRunner.execute(Compi
led Code)
at com.kivasoft.applogic.AppLogic.execute(Compiled Code)
at com.kivasoft.applogic.AppLogic.execute(Compiled Code)
at com.kivasoft.thread.ThreadBasic.run(Native Method)
at com.kivasoft.thread.ThreadBasic.run(Native Method)
at com.kivasoft.thread.ThreadBasic.run(Native Method)
at com.kivasoft.thread.ThreadBasic.run(Native Method)
at com.kivasoft.thread.ThreadBasic.run(Compiled Code)
at java.lang.Thread.run(Compiled Code)
--- In iPlanet-JATO@y..., "Todd Fast" <Todd.Fast@S...> wrote:
Mark--
Initially we tried to add the pageAttributes NVP as well, but that
was
causing an exception, so we stopped doing that.That's odd--what was the exception?
Our problem now is that when the SessionTimes out it does not go
to
onSessionTimeout method as in processRequestMethod of the
ApplicationServletBase it looks for pageAttributes. If it is notnull
then only onSessionTimeOut method is called.This is sadly the only technique for determining if a session hastimed out
and a new one been created, versus the initial creation of thesession.
Is there any work around for this? Maybe you can suggest how topass
the pageAttributes without causing the initial exception?Definitely--let me know what the exception was and I'll be able tosuggest
something. However, it shouldn't really be any harder thanappending a
"jato.pageAttributes=" empty NVP on the HREF.
Todd
Todd Fast
Senior Engineer
Sun/Netscape Alliance
todd.fast@s...
For more information about JATO, please visit:
http://developer.iplanet.com/tech/appserver/framework/index.jsp

OK, here's what I'm trying to do: We have, like you said, a menu
page. The pages that it goes to and the number of links are all
variable and read from the database. In NetD we were able to create
URLs in the form
pgXYZ?SPIDERSESSION=abcd
so this is what I'm trying to replicate here. So the URL that works
is
pgContactUs?GXHC_GX_jst=fc7b7e61662d6164&GXHC_gx_session_id_=cc9c6dfa5
601afa7
which I interpreted to be the equivalent of the old Netd way. Our
javascript also loads other frames of the page in the same manner.
And I believe the URL-rewritten frame sources of a frameset look like
this too.
This all worked except for the timeout problem. In theory we could
rewrite all URLs to go to a handler, but that would be...
inconvenient.

How are session timeouts handled

Hi,
Can anyone tell me how session timeouts are handled by the Servlet
Engine.
What is the exact role of the SessionInvalidator class. Are sessions
correctly timed
out by iAS, because I get strange behaviour in handling session timeouts
in my application
which is following MVC architecture.
What I am observing is that sessions dont seem to timeout after the
length of
time specified and sometimes they do timeout correctly. The difference
between the
time the session should have timed out and when it actually does is too
high, which is
really a concern for us.
Thanks in advance to evryone.
Amar bhat.

Hi AmarBhat,
Actually this is a bug in iAS (bug id: 556909, Status: Fixed ). This is
happeninig because iAS has a bad ( late) cleanup of timed out sessions. The
getSession method (HttpSession) calls IsRequestedSessionIdValid() as a check
for timeout and this check returns "Valid" even after a couple of seconds of
timeout. Thus, the getSession from Java layer returns the valid session. So
you are still able to read and write data on the session.
We can specify iAS the session to invalidate itself after being timeout.
Alternately, we can do it manually with HttpSession method, invalidate().
Plese get back if you have any issues.
Thanks,
Rakesh.
Developer -support, iAS.
amar bhat wrote:
Hi,
Can anyone tell me how session timeouts are handled by the Servlet
Engine.
What is the exact role of the SessionInvalidator class. Are sessions
correctly timed
out by iAS, because I get strange behaviour in handling session timeouts
in my application
which is following MVC architecture.
What I am observing is that sessions dont seem to timeout after the
length of
time specified and sometimes they do timeout correctly. The difference
between the
time the session should have timed out and when it actually does is too
high, which is
really a concern for us.
Thanks in advance to evryone.
Amar bhat.

Handle Session Timeout

I am using JDeveloper 11.1.1.6.
I am trying to gracefully handle session time outs in ADF. My application has been experiencing the 'canned' ADF session timeout popup when I am logged into my application and the session has timed out. That same popup is rendered even if I am sitting at my login page but haven't signed in.
I have followed Frank Nimphius's guidance as explained in the following forum to have my application re-direct to the login page after session timeout. That works great thanks to his well detailed document.
ADF Faces : session timeout best practice
The concern I have now is if I am sitting at my login page and my session times out, the application stays at the login page. I now type my credentials and click log in. Because the application thinks my session is timed out, I am taken back to the login page. Ideally I wouldn't think the login page would hold a session. Do you have any guidance on how I can get around this.

Hi,
what about using programmatic login, in which case the login form is part of a public page (see http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html for an example you can download)
Frank

OAM Session timeout

Hi All,
I have the following set up configured.
1)Deployed a web application in a plain(non oim suite related) weblogic domain
2)Installed OHS,OAM,OIM and OUD
3)Configured OHS,OAM,OIM and OUD for SSO in OAM with the external URL from the independent weblogic domain
4)Independent Weblogic domain is configured with OAMIdentityAsserter and OUD Authentication provider
My query is as below.
I have the session time out value configured as 600(seconds) in weblogic.xml of the web application.
Now when the access the web application through OHS SSO URL, the session is not waiting for 600 seconds to timeout,but getting invalidated in around 30 seconds.
How to resolve this issue.
Please advice.
I have the following configured in OHS proxy.
<Location /bc>
SetHandler weblogic-handler
WebLogicHost ZZZZZZ.oracle.com
WebLogicPort 9001
</Location>
firebug show the following URL getting hit just after the session invalidation http://ZZZZZ.com/oam/server/obrareq.cgi?encquery%3DHBGRZNUhr5Ucxs
and the following error gets logged in oam server
"Session invalid as returned by CHECK_VALID_SESSION_RESPONSE responseEvent fail>"
Kindly suggest.
Thanks,
Praveen

Verify whats session timeout value present in below config:
http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/session.htm#AIAAG354
To edit the OAM common session settings:
Log in to Oracle Access Manager.
Click System Configuration.
From the Common Configuration panel, double-click Common Settings.
In the Session area:
In Session Lifetime, increase the current value.
In IdleTimeout (minutes), increase the current value.
Click Apply.
~J

How to set session timeout per user

Hi,
Ho do I set the session timeout per User in the
Application.cfm File??
I tried using
<cfif SESSION.UID EQ 1>
<CFAPPLICATION NAME="appControl" SESSIONMANAGEMENT="Yes"
sessiontimeout="#CreateTimeSpan(0,0,20,0)#">
</cfelse>
<CFAPPLICATION NAME="appControl" SESSIONMANAGEMENT="Yes"
sessiontimeout="#CreateTimeSpan(1,0,0,0)#">
</cfif>
But this didnt work because the cfapplication seems to have
to be at the top before I call the variable SESSION.UID which
I set on my login page..
Someone know how to do this??
Regards
Martin

Martin,
Your code example cannot work because the "session" scope
doesn't exist until your application scope is defined. So you have
to handle this manually. Here's how you can get it done. First,
define your application to the maximum sessiontimeout you want to
have.
<CFAPPLICATION NAME="appControl" SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT="#CreateTimeSpan(1,0,0,0)#">
Then, I don't know how you are doing your login
authentication but when you have authenticated the user, you need
to define the userid and the most recent activity in the session.
Also determine your timeout value based on the userid. See example:
<CFIF IS_AUTHENTICATED>
<CFSET session.user.uid = form.userid>
<CFSET session.user.most_recent_activity = now()>
<CFIF session.user.id eq 1>
<CFSET session.user.timeout_mins = 20>
<CFELSE>
<CFSET session.user.timeout_mins = 1440>
</CFIF>
</CFIF>
Now, all you have to do is check whether the user has been
idle for too long and kill the session by purging all session
variables. For example:

<CFIF structKeyExists(session, "user") and
structKeyExists(session.user, "id")>

<CFIF datediff("n", session.user.most_recent_activity,
now()) gt session.user.timeout_mins>

<CFSET StructClear(session)>

<CFELSE>

<CFSET session.user.most_recent_activity = now()>
</CFIF>
</CFIF>

Session timeout while in a bounded taskflow.

Hi all,
I have ADFSecurity configured on project.
If a session timeout occurs while we are in view1,(click dialog ok button) is redirect to login.
If a session timeout occurs while we are in some-btf,(click dialog ok button) isn't redirect to login. White page with text Session expired appears.
How can we redirect to login when a session timeout occurs while we are in a bounded TF?
I already try to add servlet filter on the FacesServlet, but when i click on the ok button, the filter isn't called.
Using JDev 12.1.3
Thanks in advance.

Session expiry has changed in 12.1.3 (see https://java.net/jira/browse/ADFEMG-264).
Have you configured the session timeout warning?
How?
Do you use the filter approach?
Have you installed an error handler in the bounded task flow?
Timo

Session Timeout - 30 minutes

Hello,
I have a problem with session timeouts @ P7.2 - session least only for 30 minutes.
Although I've been playing with domain.xml a lot, I haven't succeeded
It is SP7.2 installed @ Sun App.Server 9
Thanks for help.

He is right, session timeout is handle by AM. It is located under Configuration --> Global Properties --> Session --> Dynamic Attributes --> Maximum Idle Time

ISE 1.1 - switch ignores "Session-Timeout"

hi all,
I'm playing around with ISE guest service and have some difficulty with Time Profiles.
After guest logs in, Radius attributes are sent to the switch (3750G) one of them is Session-Timeout which should be similar to 1h (DefaultOneHour)
According to ISE logs and switch debugs, ISE did it well and this attribute was sent but it seems that the switch simply ignores it.
May 24 07:03:11.658: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.100.194(1029) -> 10.1.100.2(389), 1 packet19:46:57: RADIUS: COA received from id 36 10.1.100.6:64700, CoA Request, len 18319:46:57: RADIUS/DECODE: parse unknown cisco vsa "reauthenticate-type" - IGNORE19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid19:46:57: RADIUS(00000000): sending19:46:57: RADIUS(00000000): Send CoA Ack Response to 10.1.100.6:64700 id 36, len 3819:46:57: RADIUS: authenticator 0B 30 6E 9B DF 97 0D A0 - D9 8B A5 5A 11 39 3E 4119:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   11 42 82 E2 52 68 DF 28 CD 43 AE 88 0C 5D 91 10            [ BRh(C]]19:46:57: RADIUS/ENCODE(00000026):Orig. component type = Dot1X19:46:57: RADIUS(00000026): Config NAS IP: 0.0.0.019:46:57: RADIUS(00000026): Config NAS IPv6: ::19:46:57: RADIUS/ENCODE(00000026): acct_session_id: 2719:46:57: RADIUS(00000026): sending19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:57: RADIUS(00000026): Send Access-Request to 10.1.100.6:1812 id 1645/25, len 26719:46:57: RADIUS: authenticator 6D 92 DC 77 87 47 DA 8E - 7D 6B DD DD 18 BE DC 3319:46:57: RADIUS: User-Name           [1]   14 "0016d329042f"19:46:57: RADIUS: User-Password       [2]   18 *19:46:57: RADIUS: Service-Type        [6]   6   Call Check                [10]19:46:57: RADIUS: Vendor, Cisco       [26] 31 19:46:57: RADIUS:   Cisco AVpair       [1]   25 "service-type=Call Check"19:46:57: RADIUS: Framed-IP-Address   [8]   6   10.1.100.194 19:46:57: RADIUS: Framed-MTU          [12] 6   1500 19:46:57: RADIUS: Called-Station-Id   [30] 19 "00-24-F9-2D-83-87"19:46:57: RADIUS: Calling-Station-Id [31] 19 "00-16-D3-29-04-2F"19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   AD EB 99 4A F2 B9 4E BB 2E B3 E2 04 BE 5B 0C 72             [ JN.[r]19:46:57: RADIUS: EAP-Key-Name        [102] 2   *19:46:57: RADIUS: Vendor, Cisco       [26] 49 19:46:57: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0A01280100000016043E0D23"19:46:57: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]19:46:57: RADIUS: NAS-Port            [5]   6   50107 19:46:57: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/7"19:46:57: RADIUS: Called-Station-Id   [30] 19 "00-24-F9-2D-83-87"19:46:57: RADIUS: NAS-IP-Address      [4]   6   10.1.100.1 19:46:57: RADIUS(00000026): Sending a IPv4 Radius Packet19:46:57: RADIUS(00000026): Started 5 sec timeout19:46:57: RADIUS: Received from id 1645/25 10.1.100.6:1812, Access-Accept, len 27219:46:57: RADIUS: authenticator F1 5F 57 72 FD 80 95 20 - 46 47 B5 CE DF 63 6E 1A19:46:57: RADIUS: User-Name           [1]   19 "[email protected]"19:46:57: RADIUS: State               [24] 40 19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41 [ReauthSession:0A]19:46:57: RADIUS:   30 31 32 38 30 31 30 30 30 30 30 30 31 36 30 34 [0128010000001604]19:46:57: RADIUS:   33 45 30 44 32 33            [ 3E0D23]19:46:57: RADIUS: Class               [25] 49 19:46:57: RADIUS:   43 41 43 53 3A 30 41 30 31 32 38 30 31 30 30 30 [CACS:0A012801000]19:46:57: RADIUS:   30 30 30 31 36 30 34 33 45 30 44 32 33 3A 69 73 [00016043E0D23:is]19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 37   [ e/124036791/297]19:46:57: RADIUS: Session-Timeout     [27] 6   2940 19:46:57: RADIUS: Termination-Action [29] 6   0 19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   26 46 2C B6 75 95 AF 37 E6 3B B1 CB F2 70 E0 8D           [ &F,u7;p]19:46:57: RADIUS: Vendor, Cisco       [26] 72 19:46:57: RADIUS:   Cisco AVpair       [1]   66 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS: Vendor, Cisco       [26] 42 19:46:57: RADIUS:   Cisco AVpair       [1]   36 "profile-name=Microsoft-Workstation"19:46:57: RADIUS(00000026): Received from id 1645/2519:46:57: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNOREMay 24 07:03:19.132: %MAB-5-SUCCESS: Authentication successful for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23May 24 07:03:19.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23May 24 07:03:19.140: %EPM-6-POLICY_REQ: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| EVENT APPLYMay 24 07:03:19.165: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACL-4fbcd736| EVENT DOWNLOAD-REQUEST19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid19:46:57: RADIUS(00000000): Config NAS IP: 0.0.0.019:46:57: RADIUS(00000000): sending19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:57: RADIUS(00000000): Send Access-Request to 10.1.100.6:1812 id 1645/26, len 14419:46:57: RADIUS: authenticator 1A 52 18 C5 25 A7 5C DC - 29 C9 5C 7C C5 B3 FC 5819:46:57: RADIUS: NAS-IP-Address      [4]   6   10.1.100.1 19:46:57: RADIUS: User-Name           [1]   38 "#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS: Vendor, Cisco       [26] 32 19:46:57: RADIUS:   Cisco AVpair       [1]   26 "aaa:service=ip_admission"19:46:57: RADIUS: Vendor, Cisco       [26] 30 19:46:57: RADIUS:   Cisco AVpair       [1]   24 "aaa:event=acl-download"19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   2B 6B 13 37 0D 25 11 E9 6A 56 35 D8 91 9F EF F0           [ +k7?jV5]19:46:57: RADIUS(00000000): Sending a IPv4 Radius Packet19:46:57: RADIUS(00000000): Started 5 sec timeoutMay 24 07:03:19.191: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 10.1.100.194(2125) -> 10.1.100.6(8443), 1 packet19:46:57: RADIUS: Received from id 1645/26 10.1.100.6:1812, Access-Accept, len 35919:46:57: RADIUS: authenticator 31 B0 73 93 CA 0E 5C 7C - 11 29 AA 57 6C A1 53 D819:46:57: RADIUS: User-Name           [1]   38 "#ACSACL#-IP-Contractors-ACL-4fbcd736"19:46:57: RADIUS: State               [24] 40 19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]19:46:57: RADIUS:   30 31 36 34 30 36 30 30 30 30 30 30 35 44 34 46 [0164060000005D4F]19:46:57: RADIUS:   42 44 44 44 33 37            [ BDDD37]19:46:57: RADIUS: Class               [25] 49 19:46:57: RADIUS:   43 41 43 53 3A 30 61 30 31 36 34 30 36 30 30 30 [CACS:0a016406000]19:46:57: RADIUS:   30 30 30 35 44 34 46 42 44 44 44 33 37 3A 69 73 [0005D4FBDDD37:is]19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 38   [ e/124036791/298]19:46:57: RADIUS: Termination-Action [29] 6   1 19:46:57: RADIUS: Message-Authenticato[80] 18 19:46:57: RADIUS:   80 EF 5B 80 76 F1 C9 37 0B 25 34 37 10 57 CC 44          [ [v7?47WD]19:46:57: RADIUS: Vendor, Cisco       [26] 47 19:46:57: RADIUS:   Cisco AVpair       [1]   41 "ip:inacl#1=permit udp any any eq domain"19:46:57: RADIUS: Vendor, Cisco SW3750-1# [26] 48 19:46:57: RADIUS:   Cisco AVpair       [1]   42 "ip:inacl#2=permit ip any host 10.1.100.6"19:46:57: RADIUS: Vendor, Cisco       [26] 57 19:46:57: RADIUS:   Cisco AVpair       [1]   51 "ip:inacl#3=deny ip any 10.0.0.0 0.255.255.255 log"19:46:57: RADIUS: Vendor, Cisco       [26] 36 19:46:57: RADIUS:   Cisco AVpair       [1]   30 "ip:inacl#4=permit ip any any"19:46:57: RADIUS(00000000): Received from id 1645/26May 24 07:03:19.216: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACSW3750-1#SW3750-1#SW3750-1#L-4fbcd736| EVENT DOWNLOAD-SUCCESSMay 24 07:03:19.216: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Contractors-ACL-4fbcd736| RESULT SUCCESSMay 24 07:03:20.147: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D2319:46:58: RADIUS/ENCODE(00000026):Orig. component type = Dot1X19:46:58: RADIUS(00000026SW3750-1#SW3750-1#SW3750-1#SW3750-1#): Config NAS IP: 0.0.0.019:46:58: RADIUS(00000026): Config NAS IPv6: ::19:46:58: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.619:46:58: RADIUS(00000026): Sending a IPv4 Radius Packet19:46:58: RADIUS(00000026): Started 5 sec timeout19:46:58: RADIUS: Received from id 1646/35 10.1.100.6:1813, Accounting-response, len 38SW3750-1#
SW3750-1#sh authe sess int g 1/0/7 Interface: GigabitEthernet1/0/7 MAC Address: 0016.d329.042f IP Address: 10.1.100.194 User-Name: [email protected] Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Group: N/A ACS ACL: xACSACLx-IP-Contractors-ACL-4fbcd736 Session timeout: N/A Idle timeout: N/A Common Session ID: 0A01280100000016043E0D23 Acct Session ID: 0x0000001B Handle: 0x2F000017Runnable methods list: Method   State mab      Authc Success dot1x    Not runSW3750-1#
Has anyone encountered similar thing?
I tried 12.2(58) and now Im testing
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(1)SE2, RELEASE SOFTWARE (fc3)
but in both cases it is similar.
regards
Przemek

Hi Sebastian,
thx a lot those 2 commands solved the issue, my mistake. Now I can see remaining time for the session
SW3750-1#sh auth sess int g1/0/7 Interface: GigabitEthernet1/0/7 MAC Address: 0016.d329.042f IP Address: 10.1.100.194 User-Name: [email protected] Status: Authz Success Domain: DATA Security Policy: Should Secure Security Status: Unsecure Oper host mode: multi-auth Oper control dir: both Authorized By: Authentication Server Vlan Group: N/A ACS ACL: xACSACLx-IP-Contractors-ACL-4fbcd736 Session timeout: 28800s (server), Remaining: 28780s Timeout action: Terminate Idle timeout: N/A Common Session ID: 0A012801000000221DE0F555 Acct Session ID: 0x0000002B Handle: 0x99000023Runnable methods list: Method   State mab      Authc Success dot1x    Not run
regards
Przemek

In APEX clicking the hyper link doesn't trigger session timeout page

Hi All,
I have a question about the session time out in APEX application. I have created a simple APEX application. In the SQL report region section, i have code like this:
SELECT DOC_Name, DOC_URL,
'<a href="' || DOC_URL || ' target="_blank"/">Download file</a>' pdf_link
FROM test_table
where emp_number =00010001
When user clicks on the hyper link, it will display the destination page to user(for example if DOC_URL = 'http://forums.oracle.com', it will display the oracle forum page in a new browser).
But the issue is that, after user's session timeout (I set for 240 seconds through Shared Components>Edit Security Attributes, i set max the session timeout for example 240 seconds), when i click on this hyperlink, it doesn't trigger my session timeout page and it still displays the page (oracle forum page).
Why in APEX clicking the hyper link doesn't trigger session timeout page after the user session timeout???
how to implememt or fix to trigger the session timeout page after clicking on the hyperlinks?
(BTW, our APEX version is 3.2)
Thanks!

Hi Lily,
the reason for that behavior is that APEX is not involved anymore if you click on an external link. That's completely handled by your browser.
To involve APEX timeout handling you could redirect to a specific page in your application which performs the final redirect.
For example:
1) Create a new page 999
2) Create hidden page item P999_URL
3) Create a before header PL/SQL process with the following source
owa_util.redirect_url('http://'||:P999_URL);
apex_application.g_unrecoverable_error := TRUE;If you want to embed a link, create a link to page 999 and set the page item P999_URL to forums.oracle.com
You could also add a white list into the above code to verify that you are just redirecting to valid URLs, so that nobody is using your trusted application URL for phishing attacks.
Hope that gives you a direction
Patrick
Regards
Patrick
My Blog: http://www.inside-oracle-apex.com
APEX 4.0 Plug-Ins: http://apex.oracle.com/plugins
Twitter: http://www.twitter.com/patrickwolf

How to handle expired sessions in portals

Hai all,
we have implemented a logic which is given in the following blog (to handle expired sessions).
(Blog from--Thomas Jung)
/people/thomas.jung3/blog/2004/12/06/bsp-developers-journal-part-xv--stateful-bsp-and-timeouts
this is working fine when we run application from workbench organizer.but when i run the same application through Portal,it was failed.
if someone comeacross this situation please kindly send your comments and solution to this problem.
Thanks in advance,
Innu.

Hai Durai,
Thanks for the immediate response.
Here i will give the clear idea about the failure situation.
IF gv_load IS INITIAL.
    DATA: fields TYPE tihttpnvp.
    FIELD-SYMBOLS: <wa_fields> LIKE LINE OF fields.
    CALL METHOD request->get_form_fields
      CHANGING
        fields = fields.
    LOOP AT fields ASSIGNING <wa_fields>.
      IF <wa_fields>-name CS 'htmlb' OR
         <wa_fields>-name CS 'HTMLB'.
        gv_load = '-'. "False - Problem with ABAP_FALSE
       appearing the same as initial.
      ENDIF.
    ENDLOOP.
    IF gv_load IS INITIAL.
      gv_load = abap_true.
    ENDIF.
ENDIF.
IF gv_load NE abap_true.
    DATA: url TYPE string.
    DATA: page TYPE string.
    page = 'reload.htm'.
    DATA: params TYPE tihttpnvp.
    FIELD-SYMBOLS: <wa_params> LIKE LINE OF params.
    APPEND INITIAL LINE TO params ASSIGNING <wa_params>.
    <wa_params>-name = 'url1'.
    CONCATENATE 'http://sapcrmdev.server.com:8080/sap/bc/bsp/sap/'
                 'salesord/default.htm'
                INTO <wa_params>-value.
    CONCATENATE ' ' ' ' INTO <wa_params>-value.
   <b> CALL METHOD
      cl_http_ext_webapp=>create_url_for_bsp_application
      EXPORTING
        bsp_application      = 'SALESORD'
        bsp_start_page       = page
        bsp_start_parameters = params
      IMPORTING
        abs_url            = url.
    navigation->exit( url ).
ENDIF.</b>
The imported parameter URL,which loads the reload page with parameter URL1.
Exactly here i am getting the problem.
[My application is launching through iViews as external services.Clearly, when i launch the portals that displays different bsp applications as menu options.when i click on my application that opens another window and from there on my application runs in that window.]
As we are constructing URL1 above, we are unable to construct Portal url to reload from reload page.]
so what should exactly i send value through url1 parameter to launch my application through portal..?
if you have any sample code plz send.
Thanks,
Innu.

Need to warn user of session timeout in BSP app hap_document......

Hi,
We're using the hap_document app to allow employees to change appraisal documents in ESS and for managers to create them thru MSS....
When employees have their documents open for more than 1 hour, the next time they click on save, it takes them to the session timeout (ICM, version 6040, module icxxthr_mt.c)....
Is there a way to add a timer to the document.htm or body.htm pages in the application to start a timer, reset it each time user clicks on save, and warn him with a popup when we're within 5 minutes to a timeout...
I've read messages on the BSP thread that say...
"Document.htm is split in two frames. One hidden to enable session handling, the second one visible which contains the document.
So the document.htm is not refreshed, the second frame is refreshed. I tried your approach as well and was not able to tie the script to the second frame.
Regards and Groetjes,
Maurice"
I've also read Thomas's stateful/stateless timeout parameters article...
Can anyone help me with where I would put the timer javascript code (if not in document.htm or body.htm) and which timeout parameter to check...
Thanks for all your help,
Venkatesh

Look at the sample code..Will solve your problem..
<%@page language="abap" %>
<%@extension name="htmlb" prefix="htmlb" %>
<script type="text/javascript">
function remind() {
var msg = "Your Session will be timed out in 10 Secs";
alert(msg);
</script>
<htmlb:content design="design2003" >
<%
data: v_rem type string.
DATA: port TYPE STRING.
port = request->get_header_field( if_http_header_fields_sap=>server_port ).
DATA: services TYPE TABLE OF ICM_SINFO.
CALL FUNCTION 'ICM_GET_INFO' TABLES SERVLIST = services.
FIELD-SYMBOLS: <service> TYPE ICM_SINFO.
DATA: wait TYPE STRING.
READ TABLE services ASSIGNING <service> WITH KEY service = port.
wait = <service>-KEEPALIVE - 10.
CONDENSE wait.
concatenate `'remind(` wait `)',2000` into v_rem.
%>
<htmlb:page onLoad = "setTimeout(<%= v_rem %>)"
              title = " " >
    <htmlb:form>
      <htmlb:textView text   = "Hello World!"
                      design = "EMPHASIZED" />
      <htmlb:button text    = "Press Me"
                    onClick = "myClickHandler" />
    </htmlb:form>
</htmlb:page>
</htmlb:content>
<i>* Reward each useful answer</i>
Raja T

ADF Faces : session timeout best practice

hi
I made these small modifications to the web.xml file in the SRDemoSample application:
(a) I changed the login-config from this ...
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>infrastructure/SRLogin.jspx</form-login-page>
      <form-error-page>infrastructure/SRLogin.jspx</form-error-page>
    </form-login-config>
</login-config>... to this
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>(b) I changed the session-timeout to 1 minute.
<session-config>
    <session-timeout>1</session-timeout>
</session-config>Please consider this scenario:
(1) Run the UserInterface project of the SRDemoSample application in JDeveloper.
(2) Authenticate using "sking" and password "welcome".
(3) Click on the "My Service Requests" tab.
(4) Click on a "Request Id" like "111". You should see a detail page titled "Service Request Information for SR # 111" that shows detail data on the service request.
(5) Wait for at least one minute for the session to timeout.
(6) Click on the "My Service Requests" tab again. I see the same detail page as in (4), now titled "Service Request Information for SR #" and not showing any detail data.
question
What is the best practice to detect such session timeouts and handle them in a user friendly way in an ADF Faces application?
thanks
Jan Vervecken

Hi,
no. Here's the content copied from a word doc:
A frequent question on the JDeveloper OTN forum, and also one that has been asked by customers directly, is how to detect and graceful handle user session expiry due to user inactivity.
The problem of user inactivity is that there is no way in JavaEE for the server to call the client when the session has expired. Though you could use JavaScript on the client display to count
down the session timeout, eventually showing an alert or redirecting the browser, this goes with a lot of overhead. The main concern raised against unhandled session invalidation due to user
inactivity is that the next user request leads to unpredictable results and errors messages. Because all information stored in the user session get lost upon session expiry, you can't recover the
session and need to start over again. The solution to this problem is a servlet filter that works on top of the Faces servlet. The web.xml file would have the servlet configured as follows
1.     <filter>
2.         <filter-name>ApplicationSessionExpiryFilter</filter-name>
3.         <filter-class>
4.             adf.sample.ApplicationSessionExpiryFilter
5.         </filter-class>
6.         <init-param>
7.             <param-name>SessionTimeoutRedirect</param-name>
8.             <param-value>SessionHasExpired.jspx</param-value>
9.         </init-param>
10.     </filter>
This configures the "ApplicationSessionExpiryFilter" servlet with an initialization parameter for the administrator to configure the page that the filter redirects the request to. In this
example, the page is a simple JSP page that only prints a message so the user knows what has happened. Further in the web.xml file, the filter is assigned to the JavaServer Faces
servlet as follows
1.     <filter-mapping>
2.             <filter-name>ApplicationSessionExpiryFilter</filter-name>
3.             <servlet-name>Faces Servlet</servlet-name>
4.         </filter-mapping>
The Servlet filter code compares the session Id of the request with the current session Id. This nicely handles the issue of the JavaEE container implicitly creating a new user session for the incoming request.
The only special case to be handled is where the incoming request doesn't have an associated session ID. This is the case for the initial application request.
1.     package adf.sample;
2.
3.     import java.io.IOException;
4.
5.     import javax.servlet.Filter;
6.     import javax.servlet.FilterChain;
7.     import javax.servlet.FilterConfig;
8.     import javax.servlet.ServletException;
9.     import javax.servlet.ServletRequest;
10.     import javax.servlet.ServletResponse;
11.     import javax.servlet.http.HttpServletRequest;
12.     import javax.servlet.http.HttpServletResponse;
13.
14.
15.     public class ApplicationSessionExpiryFilter implements Filter {
16.         private FilterConfig _filterConfig = null;
17.
18.         public void init(FilterConfig filterConfig) throws ServletException {
19.             _filterConfig = filterConfig;
20.         }
21.
22.         public void destroy() {
23.             _filterConfig = null;
24.         }
25.
26.         public void doFilter(ServletRequest request, ServletResponse response,
27.                              FilterChain chain) throws IOException, ServletException {
28.
29.
30.             String requestedSession =   ((HttpServletRequest)request).getRequestedSessionId();
31.             String currentWebSession = ((HttpServletRequest)request).getSession().getId();
32.
33.             boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
34.
35.             // if the requested session is null then this is the first application
36.             // request and "false" is acceptable
37.
38.             if (!sessionOk && requestedSession != null){
39.                 // the session has expired or renewed. Redirect request
40.                 ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
41.             }
42.             else{
43.                 chain.doFilter(request, response);
44.             }
45.         }
46.
47.     }
This servlet filter works pretty well, except for sessions that are expired because of active session invalidation e.g. when nuking the session to log out of container managed authentication. In this case my
recommendation is to extend line 39 to also include a check if security is required. This can be through another initialization parameter that holds the name of a page that the request is redirected to upon logout.
In this case you don't redirect the request to the error page but continue with a newly created session.
Ps.: For testing and development, set the following parameter in web.xml to 1 so you don't have to wait 35 minutes
1.     <session-config>
2.         <session-timeout>1</session-timeout>
3.     </session-config> Frank
Edited by: Frank Nimphius on Jun 9, 2011 8:19 AM

Variable Handling, use Session?

Currently a menu link 'user admin' takes you to list of users which are subscribed to topics.
The clients wants multiple menu links, e.g. 'user admin - topic', so that when they go to the user admin they are only dealing with users subscribed to a specific topic.
So I create these links with a URL variable for 'topicid' and modify the query so that it adds a filter for topicid.
Now I have pagination, edit/delete, add new user, search user controls to work with.
I've started to add hidden inputs to forms, and variables paginations to hold the topicid as I go from one page to another - but I have the fuseactions to contend with, then I'm having doubts as to whether this is the best way to do it... it just doesn't seem elegant.
So I'm pondering the suitability of the session scope, my biggest concern is that the session scope times out. So if the user is sitting on a page for 20 minutes they may get an error if they proceed to the next, so I'll have to add in error handling.
Am I missing a trick? It seems such a basic level thing to do, but I've been working on a legacy app for about 4 years now (it's rusting my brain)- it's always good to get other people's input.

Thanks, I've decided maybe I should start using ajax and jquery more. I loathe the lack of code conformity this will cause, but it needs an update!
With ajax and jquery, I won't need to pass around variables, since I'll not leave the page!
You're not leaving the page, but you're still hitting the server. It's not the "page" on the client browser that's causing the session timeouts, it's session inactivity on the server (where the session resides). So an AJAX call is just as prone to sessions having timed out as any other sort of request. Indeed the server just see "a request". It doesn't know or care whether it came from a user's activity on a browser, or some JS making the request via AJAX.
Adam

Handling JSF session timeouts

Similar Messages

Maybe you are looking for